Telecommunications (Security) Bill (Third sitting) Debate
Full Debate: Read Full DebateDepartment: Department for Digital, Culture, Media & Sport
James Sunderland
Main Page: James Sunderland (Conservative - Bracknell)Department Debates - View all James Sunderland's debates with the Department for Digital, Culture, Media & Sport
Telecommunications (Security) Bill (Third sitting)
James Sunderland ExcerptsTuesday 19th January 2021
(3 years, 2 months ago)
Public Bill CommitteesRead Full debate Telecommunications (Security) Act 2021 View all Telecommunications (Security) Act 2021 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 26 January 2021 - (26 Jan 2021)
Mr Jones
Q
Professor Webb: I think that has already been mooted. I doubt Ofcom has that capability at the moment. In principle, it could acquire it and hire people who have that expertise, but the need for secrecy in many of these areas is always going to mean that we are better off with one centre of excellence, where the threats are analysed, assessed and understood. We have that, of course, in NCSC.
NCSC would advise Ofcom, perhaps at a high level. Perhaps they would not need to detail exactly what the issue was, but they could talk to Ofcom about the mitigation, and Ofcom could be the entity that performs the proportionality of understanding whether a threat needs to be addressed and to what extent, in the midst of all the other things. That is how I would arrange these organisations.
Emily Taylor: Thank you for this question, which goes to both the capabilities and the culture. With the capabilities, as I have said in earlier remarks, Ofcom is going to need to upskill. In reality, as Professor Webb has said, they are going to be reliant on expert advice from NCSC, at least in the medium term, until there is a significant transfer of skills and technology, and in terms of the need for secrecy and a broader view.
Ofcom’s historical role has been much less interventionist than is foreseen in this piece of legislation. Those cultural changes go deep into the organisation and into the character of the people who work there. Cultural change is always difficult and takes time, so I would not underestimate the challenge.
James Sunderland (Bracknell) (Con)
Q
The Chair
You have about 30 seconds each, I am afraid.
Emily Taylor: I think it was inevitable after the US sanctions on semiconductor chips. It is something I regret, because the more difficult part is what we had being trying to do for 17 years, which is to treat all the networks as potentially vulnerable and adopt an evidence-based approach.
I do not think there is a going back from there. Unfortunately, the effect of the US sanctions has not just been on our domestic market. It will have hardened the resolve of China to have an entirely indigenous supply chain, and therefore will hasten exactly the outcomes that it is intended to avoid. We need a much more positive approach, investing in innovation and research, matching the capability and advocating for the benefits for a single, open and free internet.
Professor Webb: I do not have strong views. I think it depends, but clearly if it is high risk then it is probably appropriate to exclude them. The worry I have is that you end up focusing predominantly on vendors that you think are high risk, rather than on the overall security challenge, which will be across all vendors.
Mr Jones
Q
Dr Drew: I would agree with you. I believe that the decision needs to be taken on a security level first, because insecurity and the risk of a poorly made decision would have negative impacts on the economic outputs as well. I am not certain that where it is currently vested in this Bill is the best place for it, but I also believe that transparency is the other balancing component here. I have had some conversations with one of the companies mentioned quite predominantly in this literature, and their biggest press is that they feel that decisions are being made with a lack of transparency and a lack of technical justification, and that it is all politics. The best way to solve that is through transparency.
James Sunderland
Q
Dr Drew: It potentially could, depending on the type of company that you are attempting to incentivise. It would have a different effect on those potentially two or more categories. If you take one category to be pre-existing companies that previously have not operated within the UK, such as NEC from Japan, they are likely not to be put off to such a great extent—they have already had to deal with some level of security commitment within their normal markets. However, I suggest that it could be more of a barrier to entry for the smaller companies that we are attempting to encourage to get into this market. Emerging companies would find a culture of components and cultural risk to how they view their work, as well as the technical and financial cost of meeting the new standards. Yes, I believe there would be an impact, but it would be different between types of vendors that you are seeking to encourage.
Chi Onwurah
Q
“to further the interests of citizens in relation to communications matters; and to further the interests of consumers in relevant markets, where appropriate by promoting competition.”
Do you think there is an argument to add a further security duty, if that is going to take such a large portion of Ofcom’s capacity?
Dr Drew: As to the second question first, I believe that security should be a component here. In fact, I believe it fits with what Ofcom is likely to be responsible for, and with the Online Harms White Paper as well. Security is fundamentally and inexorably linked with technology, culture and communications in the modern sense, so I believe that it would be important for that to be included as a key provision for DCMS.
With regard to the differences between fixed networks and 5G and the implications of this Bill, in the efficacy of its methodology towards the other, there are technical differences in how 5G operates right now and how we perceive the next generation of telecommunications to operate, but those differences will change over time, I believe. They will become less distinct. It is likely that fixed networks will move towards the concept of computing on the edge, and this is indeed already happening in some senses.
As for the actual efforts to control security risk, I do not see any major differences between telecommunications suppliers and fixed network suppliers. There is the same potential risk. You mentioned the SolarWinds hack earlier. That was a fixed network supplier in a way—it was not telecommunications—but there was the same risk involved and the same means of access, through a diversified chain with limited oversight at Government level, because it is a private sector actor with limited responsibilities. That is as true in that case as it would be for a fixed network with Cisco, and as it would be with a telecoms provider by ZTE, Huawei, Ericsson or any other. I do not think there is a significant technical difference to mean that the goals and direction of this Bill could not, and perhaps should not, be applied to others.
Chi Onwurah
Q
Can I come on to duties? I have the Communications Act here, which has got a lot thicker since I left Ofcom. The two duties are the “interests of citizens” and the “interests of consumers” with regard to competition, but there is not a duty on security. Does that not suggest that if there is a conflict between competition or communication matters, that will be prioritised over security if there is not an explicit duty to maintain the security of our networks?
Lindsey Fussell: I think this legislation quite clearly does place explicit duties on us to monitor and enforce the compliance of operators on network security requirements. I do not see that there is any risk that we would downplay the importance of that duty in comparison with others. Clearly, it is for the Government to put forward any changes to legislation to change the balance of our duties or to add new ones, but I think the Government—and, indeed, Parliament—are asking us very clearly to take on those responsibilities through this new legislation.
To pick up on a point I made earlier, in terms of the interests of citizens and consumers, it is important to say that of course it is in the interest of citizens and consumers to have excellent networks functioning that provide them with great connectivity. If we have learned anything from this most recent period, it is how important connectivity is to everybody’s daily life. Of course, that comes across in pricing and support for more vulnerable consumers, and all those other things that we have responsibility for in telecoms.
Actually, promoting secure networks is absolutely in the interests of consumers and citizens as well, not just because of the really damaging consequences of cyber-attacks, but because, ultimately, if we are able to have better networks, that should enable greater economic innovation through 5G use cases and things like that, for example. I think in promoting the interests of citizens and consumers, telecoms security is clearly part of that.
James Sunderland
Q
Lindsey Fussell: It is probably worth saying that, from an international perspective, although there are some other countries—notably Germany and Australia—that have started to explore strengthening their telecoms security framework, I am not aware of another country that is quite as forward leaning in terms of the framework that is being put forward in this legislation.
In terms of the fines, this is an important point—those fines match the level that we are currently able to levy in relation to our other telecoms requirements, such as breaches of our general conditions. Previously, under our past responsibilities, our fines were limited to £2 million, so really quite a small amount compared with the wealth of the largest operators. I think it is appropriate that the telecoms security fines match what we are able to do elsewhere.
The final point I would make is that fining is an incredibly useful power to have because it acts as a significant deterrent and a strong incentive for companies to comply. It is actually not the first lever that we reach for, certainly not maximum fines; it is there and we are ready to use it if we need to, but our starting point would be to work with operators on this journey as they move towards compliance as they respond to new and emerging threats.
Matt Warman
Q
Lindsey Fussell: Yes, of course, I am very happy to do that. As you say, we have responsibility now to monitor and enforce compliance on security. The difference, which is why I think this legislation is so welcome, is that at present we do not have any obligations set out as to how operators need to meet those security requirements. It has been basically up to them to decide what is necessary. While many companies have invested very heavily in their security—I would not want to suggest otherwise—clearly there is a journey to go on and improvements that need to be made. It is very welcome that we now have this much clearer framework, so that operators know what they need to do and we can enforce against it.
The other point that is worth bringing out is that, at present, operators are under a requirement to report incidents to us, but the nature of that reporting tends to be around incidents that cause outages. We do get a lot of those—caused not just by cyber-security but by wind, weather and other issues. Quite a lot of cyber-security incidents are, frankly, precisely designed not to cause outages, because it is in the interests of the malicious actor to allow the network to keep operating while they do whatever they are up to. The new requirements on operators are to tell us not just if there is an outage but if there is an incident where they believe their system may have been compromised. They are wider ranging and welcome powers.